Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    50 vulnerabilities by wclovers

    CVE-2026-12994 (GCVE-0-2026-12994)

    Vulnerability from nvd – Published: 2026-07-11 05:35 – Updated: 2026-07-11 05:35
    VLAI
    Title
    WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Missing Authorization to Unauthenticated Arbitrary Inquiry Reply Injection via wcfm-my-account-enquiry-manage Controller
    Summary
    The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. Unlike sibling controller branches (wcfm-enquiry and wcfm-enquiry-manage), the wcfm-my-account-enquiry-manage branch performs no is_user_logged_in() or current_user_can() check, and the nonce that serves as the sole barrier is embedded into every public page load without any login gate.
    CWE
    Assigner
    Impacted products
    Credits
    Niv Kochan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.27",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. Unlike sibling controller branches (wcfm-enquiry and wcfm-enquiry-manage), the wcfm-my-account-enquiry-manage branch performs no is_user_logged_in() or current_user_can() check, and the nonce that serves as the sole barrier is embedded into every public page load without any login gate."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-11T05:35:48.289Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/676b4637-a2c7-4a95-b644-bb0401f91b40?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-enquiry.php#L321"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-enquiry.php#L48"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/controllers/enquiry/wcfm-controller-enquiry-manage.php#L278"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/controllers/enquiry/wcfm-controller-enquiry-manage.php#L290"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-frontend.php#L1197"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-enquiry.php#L321"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-enquiry.php#L48"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/controllers/enquiry/wcfm-controller-enquiry-manage.php#L278"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/controllers/enquiry/wcfm-controller-enquiry-manage.php#L290"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-frontend.php#L1197"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3588570%40wc-frontend-manager\u0026new=3588570%40wc-frontend-manager"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-23T13:28:42.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-10T16:57:45.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM \u2013 Frontend Manager for WooCommerce \u003c= 6.7.27 - Missing Authorization to Unauthenticated Arbitrary Inquiry Reply Injection via wcfm-my-account-enquiry-manage Controller"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12994",
        "datePublished": "2026-07-11T05:35:48.289Z",
        "dateReserved": "2026-06-23T13:13:29.081Z",
        "dateUpdated": "2026-07-11T05:35:48.289Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12126 (GCVE-0-2026-12126)

    Vulnerability from nvd – Published: 2026-07-11 05:35 – Updated: 2026-07-11 05:35
    VLAI
    Title
    WCFM Marketplace <= 3.7.3 - Authenticated (Vendor+) Stored Cross-Site Scripting via Attachment 'post_title'
    Summary
    The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. An attacker can plant the payload by uploading a media attachment with a crafted title via the WordPress REST API (/wp-json/wp/v2/media), without ever invoking the AJAX endpoint themselves, as the unescaped title is later emitted inside DataTables JSON and inserted as innerHTML upon any privileged user loading the media dashboard.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Nadir Şensoy
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "3.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nadir \u015eensoy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment \u0027post_title\u0027 in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. An attacker can plant the payload by uploading a media attachment with a crafted title via the WordPress REST API (/wp-json/wp/v2/media), without ever invoking the AJAX endpoint themselves, as the unescaped title is later emitted inside DataTables JSON and inserted as innerHTML upon any privileged user loading the media dashboard."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-11T05:35:48.980Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/881ec131-a716-4929-a44e-84bac161d81c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.2/controllers/media/wcfmmp-controller-media.php#L120"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.3/controllers/media/wcfmmp-controller-media.php#L120"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.3/core/class-wcfmmp-media.php#L163"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.3/controllers/media/wcfmmp-controller-media.php#L58"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.2/core/class-wcfmmp-media.php#L163"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.2/controllers/media/wcfmmp-controller-media.php#L58"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3588629%40wc-multivendor-marketplace\u0026new=3588629%40wc-multivendor-marketplace"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-12T15:31:16.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-10T16:41:41.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM Marketplace \u003c= 3.7.3 - Authenticated (Vendor+) Stored Cross-Site Scripting via Attachment \u0027post_title\u0027"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12126",
        "datePublished": "2026-07-11T05:35:48.980Z",
        "dateReserved": "2026-06-12T15:16:02.267Z",
        "dateUpdated": "2026-07-11T05:35:48.980Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10041 (GCVE-0-2026-10041)

    Vulnerability from nvd – Published: 2026-07-11 05:35 – Updated: 2026-07-11 05:35
    VLAI
    Title
    WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Vendor Data Manipulation via Multiple AJAX Handlers
    Summary
    The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors.
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    mrholmes papadope
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.27",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "mrholmes"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "papadope"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors\u0027 products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-11T05:35:50.395Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3f88a18-5439-4759-ae9f-168f5efc3264?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-ajax.php#L746"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-ajax.php#L779"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-ajax.php#L810"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-enquiry.php#L395"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-notification.php#L1132"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-ajax.php#L746"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-ajax.php#L779"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-ajax.php#L810"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-enquiry.php#L395"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-notification.php#L1132"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3588570%40wc-frontend-manager\u0026new=3588570%40wc-frontend-manager"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T20:07:42.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-10T16:42:26.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM \u2013 Frontend Manager for WooCommerce \u003c= 6.7.27 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Vendor Data Manipulation via Multiple AJAX Handlers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-10041",
        "datePublished": "2026-07-11T05:35:50.395Z",
        "dateReserved": "2026-05-28T19:52:33.345Z",
        "dateUpdated": "2026-07-11T05:35:50.395Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3688 (GCVE-0-2026-3688)

    Vulnerability from nvd – Published: 2026-07-08 11:35 – Updated: 2026-07-08 15:01
    VLAI
    Title
    WCFM - WooCommerce Multivendor Membership <= 2.11.10 - Insecure Direct Object Reference to Limited Privilege Escalation via User Role Overwrite
    Summary
    The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user's role to 'wcfm_vendor' by changing their membership plan.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Osvaldo Noe Gonzalez Del Rio (Os)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3688",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T15:00:56.429002Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T15:01:02.908Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "2.11.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Osvaldo Noe Gonzalez Del Rio (Os)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the \u0027wcfmvm_membership_change\u0027 AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user\u0027s role to \u0027wcfm_vendor\u0027 by changing their membership plan."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T11:35:40.708Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a934ccd-9330-4585-9994-838940d24980?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3520777/wc-multivendor-membership"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-10T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-03-07T00:00:35.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-07T23:34:27.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM - WooCommerce Multivendor Membership \u003c= 2.11.10 - Insecure Direct Object Reference to Limited Privilege Escalation via User Role Overwrite"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3688",
        "datePublished": "2026-07-08T11:35:40.708Z",
        "dateReserved": "2026-03-06T23:43:39.850Z",
        "dateUpdated": "2026-07-08T15:01:02.908Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2554 (GCVE-0-2026-2554)

    Vulnerability from nvd – Published: 2026-05-02 13:26 – Updated: 2026-05-05 00:28
    VLAI
    Title
    WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion
    Summary
    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Supakiad S.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2554",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T00:27:51.784740Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-05T00:28:04.886Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the \u0027wcfm_delete_wcfm_customer\u0027 due to missing validation on the \u0027customerid\u0027 user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-02T13:26:09.653Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465acea0796?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-customer.php#L386"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3483695/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-15T17:35:31.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-01T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible \u003c= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2554",
        "datePublished": "2026-05-02T13:26:09.653Z",
        "dateReserved": "2026-02-15T17:16:55.850Z",
        "dateUpdated": "2026-05-05T00:28:04.886Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4896 (GCVE-0-2026-4896)

    Vulnerability from nvd – Published: 2026-04-04 07:42 – Updated: 2026-04-08 17:33
    VLAI
    Title
    WCFM - WooCommerce Frontend Manager <= 6.7.25 - Insecure Direct Object References to Autenticated (Vendor+) Arbitrary Post/Product Manipulation
    Summary
    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Osvaldo Noe Gonzalez Del Rio
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4896",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-06T16:46:50.763567Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-06T16:47:45.630Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Osvaldo Noe Gonzalez Del Rio"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:33:54.728Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8248098-dff2-4bac-a138-aa40c7ab7a1c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-ajax.php?marks=644,880#L644"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-article.php?marks=271#L271"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-10T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-02-13T21:38:45.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-03T19:36:31.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM - WooCommerce Frontend Manager \u003c= 6.7.25 - Insecure Direct Object References to Autenticated (Vendor+) Arbitrary Post/Product Manipulation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-4896",
        "datePublished": "2026-04-04T07:42:00.432Z",
        "dateReserved": "2026-03-26T14:26:49.942Z",
        "dateUpdated": "2026-04-08T17:33:54.728Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1722 (GCVE-0-2026-1722)

    Vulnerability from nvd – Published: 2026-02-10 07:27 – Updated: 2026-04-08 17:25
    VLAI
    Title
    WCFM Marketplace <= 3.7.0 - Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation
    Summary
    The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Gibran Abdillah
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1722",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T15:34:36.609626Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T15:35:31.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "3.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Gibran Abdillah"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:25:38.377Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d39ec46d-58c4-40e4-b94a-e7a9fc99291a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/trunk/core/class-wcfmmp-refund.php#L235"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.0/core/class-wcfmmp-refund.php#L235"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3455829%40wc-multivendor-marketplace%2Ftrunk\u0026old=3424081%40wc-multivendor-marketplace%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-03T12:31:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-09T18:54:40.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM Marketplace \u003c= 3.7.0 - Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1722",
        "datePublished": "2026-02-10T07:27:00.651Z",
        "dateReserved": "2026-01-30T20:26:54.350Z",
        "dateUpdated": "2026-04-08T17:25:38.377Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0845 (GCVE-0-2026-0845)

    Vulnerability from nvd – Published: 2026-02-09 23:23 – Updated: 2026-04-08 16:50
    VLAI
    Title
    WCFM - WooCommerce Frontend Manager <= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update
    Summary
    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Osvaldo Noe Gonzalez Del Rio
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0845",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T16:51:00.513226Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T16:51:38.298Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.24",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Osvaldo Noe Gonzalez Del Rio"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the \u0027WCFM_Settings_Controller::processing\u0027 function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:50:30.345Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4973cef3-dddf-4eb5-99f4-c23a0e162fd6?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/controllers/settings/wcfm-controller-settings.php#L150"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-ajax.php#L285"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3455819/wc-frontend-manager/trunk/controllers/settings/wcfm-controller-settings.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-03T12:31:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-09T11:20:25.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM - WooCommerce Frontend Manager \u003c= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-0845",
        "datePublished": "2026-02-09T23:23:27.754Z",
        "dateReserved": "2026-01-10T15:14:52.880Z",
        "dateUpdated": "2026-04-08T16:50:30.345Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15147 (GCVE-0-2025-15147)

    Vulnerability from nvd – Published: 2026-02-09 23:23 – Updated: 2026-04-08 17:21
    VLAI
    Title
    WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment
    Summary
    The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Jing Xuan Sun
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15147",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T16:47:21.782233Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T16:47:58.682Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "2.11.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jing Xuan Sun"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the \u0027WCFMvm_Memberships_Payment_Controller::processing\u0027 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users\u0027 membership payments."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:21:40.486Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8d286db-b2a7-46c4-825f-dc67dda8a63d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3455830/wc-multivendor-membership#file436"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-membership/tags/2.11.8/controllers/wcfmvm-controller-memberships-payment.php#L32"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-03T12:31:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-09T11:17:32.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace \u003c= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-15147",
        "datePublished": "2026-02-09T23:23:28.319Z",
        "dateReserved": "2025-12-27T13:25:09.137Z",
        "dateUpdated": "2026-04-08T17:21:40.486Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-3780 (GCVE-0-2025-3780)

    Vulnerability from nvd – Published: 2025-07-08 23:22 – Updated: 2026-04-08 16:42
    VLAI
    Title
    WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification
    Summary
    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Brian Sans-Souci
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3780",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-09T13:15:27.802344Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-09T13:15:34.030Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.16",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Brian Sans-Souci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:42:46.567Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26a82493-a6a5-4d8e-8322-942925a54cc3?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.16/core/class-wcfm-admin.php#L74"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.16/core/class-wcfm-admin.php#L81"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-16T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-07-08T11:13:57.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible \u003c= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-3780",
        "datePublished": "2025-07-08T23:22:48.619Z",
        "dateReserved": "2025-04-17T19:51:29.910Z",
        "dateUpdated": "2026-04-08T16:42:46.567Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1311 (GCVE-0-2025-1311)

    Vulnerability from nvd – Published: 2025-03-22 06:41 – Updated: 2026-04-08 17:00
    VLAI
    Title
    WooCommerce Multivendor Marketplace – REST API <= 1.6.2 - Authenticated (Subscriber+) SQL Injection
    Summary
    The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in the update_delivery_status() function in all versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Nguyen Tan Phat
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1311",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T13:18:39.298151Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T13:18:47.793Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Multivendor Marketplace REST API for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "1.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nguyen Tan Phat"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce Multivendor Marketplace \u2013 REST API plugin for WordPress is vulnerable to SQL Injection via the \u0027id\u0027 parameter in the update_delivery_status() function in all versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:00:14.581Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ff5cda2-edcd-4fa5-9c8e-427a43802ed1?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/wcfm-marketplace-rest-api/"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/trunk/includes/api/class-api-deliveries-controller.php#L303"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3267377/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-21T17:52:03.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce Multivendor Marketplace \u2013 REST API \u003c= 1.6.2 - Authenticated (Subscriber+) SQL Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-1311",
        "datePublished": "2025-03-22T06:41:12.043Z",
        "dateReserved": "2025-02-14T20:12:02.373Z",
        "dateUpdated": "2026-04-08T17:00:14.581Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8290 (GCVE-0-2024-8290)

    Vulnerability from nvd – Published: 2024-09-25 06:49 – Updated: 2026-04-08 17:02
    VLAI
    Title
    WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.12 - Insecure Direct Object Reference to Account Takeover/Privilege Escalation
    Summary
    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.12 via the WCFM_Customers_Manage_Controller::processing function due to missing validation on the ID user controlled key. This makes it possible for authenticated attackers, with subscriber/customer-level access and above, to change the email address of administrator user accounts which allows them to reset the password and access the administrator account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    wclovers WCFM – Frontend Manager for WooCommerce Affected: 0 , ≤ 6.7.12 (semver)
    Create a notification for this product.
    wclovers frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible Affected: 0 , ≤ 6.7.12 (semver)
        cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible",
                "vendor": "wclovers",
                "versions": [
                  {
                    "lessThanOrEqual": "6.7.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8290",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T13:18:37.127324Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T13:21:08.505Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.12",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.12 via the WCFM_Customers_Manage_Controller::processing function due to missing validation on the ID user controlled key. This makes it possible for authenticated attackers, with subscriber/customer-level access and above, to change the email address of administrator user accounts which allows them to reset the password and access the administrator account."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:02:07.504Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79172fe3-c0cf-48c4-8bc5-862c628c1a09?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.12/controllers/customers/wcfm-controller-customers-manage.php#L97"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3156433/wc-frontend-manager/trunk/controllers/customers/wcfm-controller-customers-manage.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-24T17:50:38.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible \u003c= 6.7.12 - Insecure Direct Object Reference to Account Takeover/Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-8290",
        "datePublished": "2024-09-25T06:49:01.430Z",
        "dateReserved": "2024-08-28T20:42:11.811Z",
        "dateUpdated": "2026-04-08T17:02:07.504Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-44009 (GCVE-0-2024-44009)

    Vulnerability from nvd – Published: 2024-09-17 23:02 – Updated: 2026-04-28 16:10
    VLAI
    Title
    WordPress WCFM Marketplace <= 3.6.11 - Reflected Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Reflected XSS.This issue affects WCFM Marketplace: from n/a through <= 3.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    WC Lovers WCFM Marketplace Affected: 0 , ≤ 3.6.11 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:27
    Credits
    Le Ngoc Anh | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-44009",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-18T14:12:36.512226Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-18T14:40:08.035Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wc-multivendor-marketplace",
              "product": "WCFM Marketplace",
              "vendor": "WC Lovers",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.6.12",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.6.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Le Ngoc Anh | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:27:37.080Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Reflected XSS.\u003cp\u003eThis issue affects WCFM Marketplace: from n/a through \u003c= 3.6.11.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Reflected XSS.This issue affects WCFM Marketplace: from n/a through \u003c= 3.6.11."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-591",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Reflected XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:10:16.026Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wc-multivendor-marketplace/vulnerability/wordpress-wcfm-marketplace-3-6-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WCFM Marketplace \u003c= 3.6.11 - Reflected Cross Site Scripting (XSS) vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-44009",
        "datePublished": "2024-09-17T23:02:19.372Z",
        "dateReserved": "2024-08-18T21:57:50.572Z",
        "dateUpdated": "2026-04-28T16:10:16.026Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-4960 (GCVE-0-2023-4960)

    Vulnerability from nvd – Published: 2024-01-11 08:33 – Updated: 2026-04-08 17:34
    VLAI
    Title
    WCFM Marketplace <= 3.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
    Summary
    The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcfm_stores' shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:44:53.206Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f99e9f01-cc98-4af5-bb95-f56f6a550e96?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.6.1/views/store-lists/wcfmmp-view-store-lists.php#L207"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.6.1/core/class-wcfmmp-shortcode.php#L241"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3000763/wc-multivendor-marketplace#file999"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4960",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-08T15:55:38.464664Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-03T14:08:18.557Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "3.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027wcfm_stores\u0027 shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:34:14.145Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f99e9f01-cc98-4af5-bb95-f56f6a550e96?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.6.1/views/store-lists/wcfmmp-view-store-lists.php#L207"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.6.1/core/class-wcfmmp-shortcode.php#L241"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3000763/wc-multivendor-marketplace#file999"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-09-13T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2023-09-13T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2023-11-23T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM Marketplace \u003c= 3.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-4960",
        "datePublished": "2024-01-11T08:33:09.984Z",
        "dateReserved": "2023-09-14T14:25:20.291Z",
        "dateUpdated": "2026-04-08T17:34:14.145Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-2275 (GCVE-0-2023-2275)

    Vulnerability from nvd – Published: 2023-06-09 05:33 – Updated: 2026-04-08 17:15
    VLAI
    Title
    WooCommerce Multivendor Marketplace – REST API <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API
    Summary
    The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'get_item', 'get_order_notes' and 'add_order_note' functions in versions up to, and including, 1.5.3. This makes it possible for authenticated attackers with subscriber privileges or above, to view the order details and order notes, and add order notes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:19:14.586Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0520601-7e5c-412d-a8da-df1bf8ce28df?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L151"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L167"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L175"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2904331/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2275",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-20T23:23:58.499390Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-20T23:36:48.837Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Multivendor Marketplace REST API for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "1.5.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce Multivendor Marketplace \u2013 REST API plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the \u0027get_item\u0027, \u0027get_order_notes\u0027 and \u0027add_order_note\u0027 functions in versions up to, and including, 1.5.3. This makes it possible for authenticated attackers with subscriber privileges or above, to view the order details and order notes, and add order notes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:15:51.530Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0520601-7e5c-412d-a8da-df1bf8ce28df?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L151"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L167"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L175"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/2904331/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-04-25T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2023-04-25T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2023-04-26T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce Multivendor Marketplace \u2013 REST API \u003c= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-2275",
        "datePublished": "2023-06-09T05:33:28.997Z",
        "dateReserved": "2023-04-25T11:42:13.932Z",
        "dateUpdated": "2026-04-08T17:15:51.530Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10041 (GCVE-0-2026-10041)

    Vulnerability from cvelistv5 – Published: 2026-07-11 05:35 – Updated: 2026-07-11 05:35
    VLAI
    Title
    WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Vendor Data Manipulation via Multiple AJAX Handlers
    Summary
    The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors.
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    mrholmes papadope
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.27",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "mrholmes"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "papadope"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors\u0027 products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-11T05:35:50.395Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3f88a18-5439-4759-ae9f-168f5efc3264?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-ajax.php#L746"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-ajax.php#L779"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-ajax.php#L810"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-enquiry.php#L395"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-notification.php#L1132"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-ajax.php#L746"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-ajax.php#L779"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-ajax.php#L810"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-enquiry.php#L395"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-notification.php#L1132"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3588570%40wc-frontend-manager\u0026new=3588570%40wc-frontend-manager"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T20:07:42.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-10T16:42:26.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM \u2013 Frontend Manager for WooCommerce \u003c= 6.7.27 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Vendor Data Manipulation via Multiple AJAX Handlers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-10041",
        "datePublished": "2026-07-11T05:35:50.395Z",
        "dateReserved": "2026-05-28T19:52:33.345Z",
        "dateUpdated": "2026-07-11T05:35:50.395Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12126 (GCVE-0-2026-12126)

    Vulnerability from cvelistv5 – Published: 2026-07-11 05:35 – Updated: 2026-07-11 05:35
    VLAI
    Title
    WCFM Marketplace <= 3.7.3 - Authenticated (Vendor+) Stored Cross-Site Scripting via Attachment 'post_title'
    Summary
    The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. An attacker can plant the payload by uploading a media attachment with a crafted title via the WordPress REST API (/wp-json/wp/v2/media), without ever invoking the AJAX endpoint themselves, as the unescaped title is later emitted inside DataTables JSON and inserted as innerHTML upon any privileged user loading the media dashboard.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Nadir Şensoy
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "3.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nadir \u015eensoy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment \u0027post_title\u0027 in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. An attacker can plant the payload by uploading a media attachment with a crafted title via the WordPress REST API (/wp-json/wp/v2/media), without ever invoking the AJAX endpoint themselves, as the unescaped title is later emitted inside DataTables JSON and inserted as innerHTML upon any privileged user loading the media dashboard."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-11T05:35:48.980Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/881ec131-a716-4929-a44e-84bac161d81c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.2/controllers/media/wcfmmp-controller-media.php#L120"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.3/controllers/media/wcfmmp-controller-media.php#L120"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.3/core/class-wcfmmp-media.php#L163"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.3/controllers/media/wcfmmp-controller-media.php#L58"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.2/core/class-wcfmmp-media.php#L163"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.2/controllers/media/wcfmmp-controller-media.php#L58"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3588629%40wc-multivendor-marketplace\u0026new=3588629%40wc-multivendor-marketplace"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-12T15:31:16.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-10T16:41:41.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM Marketplace \u003c= 3.7.3 - Authenticated (Vendor+) Stored Cross-Site Scripting via Attachment \u0027post_title\u0027"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12126",
        "datePublished": "2026-07-11T05:35:48.980Z",
        "dateReserved": "2026-06-12T15:16:02.267Z",
        "dateUpdated": "2026-07-11T05:35:48.980Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12994 (GCVE-0-2026-12994)

    Vulnerability from cvelistv5 – Published: 2026-07-11 05:35 – Updated: 2026-07-11 05:35
    VLAI
    Title
    WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Missing Authorization to Unauthenticated Arbitrary Inquiry Reply Injection via wcfm-my-account-enquiry-manage Controller
    Summary
    The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. Unlike sibling controller branches (wcfm-enquiry and wcfm-enquiry-manage), the wcfm-my-account-enquiry-manage branch performs no is_user_logged_in() or current_user_can() check, and the nonce that serves as the sole barrier is embedded into every public page load without any login gate.
    CWE
    Assigner
    Impacted products
    Credits
    Niv Kochan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.27",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. Unlike sibling controller branches (wcfm-enquiry and wcfm-enquiry-manage), the wcfm-my-account-enquiry-manage branch performs no is_user_logged_in() or current_user_can() check, and the nonce that serves as the sole barrier is embedded into every public page load without any login gate."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-11T05:35:48.289Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/676b4637-a2c7-4a95-b644-bb0401f91b40?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-enquiry.php#L321"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-enquiry.php#L48"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/controllers/enquiry/wcfm-controller-enquiry-manage.php#L278"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/controllers/enquiry/wcfm-controller-enquiry-manage.php#L290"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.27/core/class-wcfm-frontend.php#L1197"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-enquiry.php#L321"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-enquiry.php#L48"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/controllers/enquiry/wcfm-controller-enquiry-manage.php#L278"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/controllers/enquiry/wcfm-controller-enquiry-manage.php#L290"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.26/core/class-wcfm-frontend.php#L1197"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3588570%40wc-frontend-manager\u0026new=3588570%40wc-frontend-manager"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-23T13:28:42.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-10T16:57:45.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM \u2013 Frontend Manager for WooCommerce \u003c= 6.7.27 - Missing Authorization to Unauthenticated Arbitrary Inquiry Reply Injection via wcfm-my-account-enquiry-manage Controller"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12994",
        "datePublished": "2026-07-11T05:35:48.289Z",
        "dateReserved": "2026-06-23T13:13:29.081Z",
        "dateUpdated": "2026-07-11T05:35:48.289Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3688 (GCVE-0-2026-3688)

    Vulnerability from cvelistv5 – Published: 2026-07-08 11:35 – Updated: 2026-07-08 15:01
    VLAI
    Title
    WCFM - WooCommerce Multivendor Membership <= 2.11.10 - Insecure Direct Object Reference to Limited Privilege Escalation via User Role Overwrite
    Summary
    The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user's role to 'wcfm_vendor' by changing their membership plan.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Osvaldo Noe Gonzalez Del Rio (Os)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3688",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T15:00:56.429002Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T15:01:02.908Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "2.11.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Osvaldo Noe Gonzalez Del Rio (Os)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the \u0027wcfmvm_membership_change\u0027 AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user\u0027s role to \u0027wcfm_vendor\u0027 by changing their membership plan."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T11:35:40.708Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a934ccd-9330-4585-9994-838940d24980?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3520777/wc-multivendor-membership"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-10T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-03-07T00:00:35.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-07T23:34:27.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM - WooCommerce Multivendor Membership \u003c= 2.11.10 - Insecure Direct Object Reference to Limited Privilege Escalation via User Role Overwrite"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3688",
        "datePublished": "2026-07-08T11:35:40.708Z",
        "dateReserved": "2026-03-06T23:43:39.850Z",
        "dateUpdated": "2026-07-08T15:01:02.908Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2554 (GCVE-0-2026-2554)

    Vulnerability from cvelistv5 – Published: 2026-05-02 13:26 – Updated: 2026-05-05 00:28
    VLAI
    Title
    WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion
    Summary
    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Supakiad S.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2554",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T00:27:51.784740Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-05T00:28:04.886Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the \u0027wcfm_delete_wcfm_customer\u0027 due to missing validation on the \u0027customerid\u0027 user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-02T13:26:09.653Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465acea0796?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-customer.php#L386"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3483695/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-15T17:35:31.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-01T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible \u003c= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2554",
        "datePublished": "2026-05-02T13:26:09.653Z",
        "dateReserved": "2026-02-15T17:16:55.850Z",
        "dateUpdated": "2026-05-05T00:28:04.886Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4896 (GCVE-0-2026-4896)

    Vulnerability from cvelistv5 – Published: 2026-04-04 07:42 – Updated: 2026-04-08 17:33
    VLAI
    Title
    WCFM - WooCommerce Frontend Manager <= 6.7.25 - Insecure Direct Object References to Autenticated (Vendor+) Arbitrary Post/Product Manipulation
    Summary
    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Osvaldo Noe Gonzalez Del Rio
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4896",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-06T16:46:50.763567Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-06T16:47:45.630Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.25",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Osvaldo Noe Gonzalez Del Rio"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via multiple AJAX actions including `wcfm_modify_order_status`, `delete_wcfm_article`, `delete_wcfm_product`, and the article management controller due to missing validation on user-supplied object IDs. This makes it possible for authenticated attackers, with Vendor-level access and above, to modify the status of any order, delete or modify any post/product/page, regardless of ownership."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:33:54.728Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8248098-dff2-4bac-a138-aa40c7ab7a1c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-ajax.php?marks=644,880#L644"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-article.php?marks=271#L271"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-10T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-02-13T21:38:45.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-03T19:36:31.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM - WooCommerce Frontend Manager \u003c= 6.7.25 - Insecure Direct Object References to Autenticated (Vendor+) Arbitrary Post/Product Manipulation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-4896",
        "datePublished": "2026-04-04T07:42:00.432Z",
        "dateReserved": "2026-03-26T14:26:49.942Z",
        "dateUpdated": "2026-04-08T17:33:54.728Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1722 (GCVE-0-2026-1722)

    Vulnerability from cvelistv5 – Published: 2026-02-10 07:27 – Updated: 2026-04-08 17:25
    VLAI
    Title
    WCFM Marketplace <= 3.7.0 - Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation
    Summary
    The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Gibran Abdillah
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1722",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T15:34:36.609626Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T15:35:31.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "3.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Gibran Abdillah"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:25:38.377Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d39ec46d-58c4-40e4-b94a-e7a9fc99291a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/trunk/core/class-wcfmmp-refund.php#L235"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.7.0/core/class-wcfmmp-refund.php#L235"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3455829%40wc-multivendor-marketplace%2Ftrunk\u0026old=3424081%40wc-multivendor-marketplace%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-03T12:31:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-09T18:54:40.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM Marketplace \u003c= 3.7.0 - Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1722",
        "datePublished": "2026-02-10T07:27:00.651Z",
        "dateReserved": "2026-01-30T20:26:54.350Z",
        "dateUpdated": "2026-04-08T17:25:38.377Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15147 (GCVE-0-2025-15147)

    Vulnerability from cvelistv5 – Published: 2026-02-09 23:23 – Updated: 2026-04-08 17:21
    VLAI
    Title
    WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment
    Summary
    The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the 'WCFMvm_Memberships_Payment_Controller::processing' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users' membership payments.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Jing Xuan Sun
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-15147",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T16:47:21.782233Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T16:47:58.682Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "2.11.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jing Xuan Sun"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.8 via the \u0027WCFMvm_Memberships_Payment_Controller::processing\u0027 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify other users\u0027 membership payments."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:21:40.486Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8d286db-b2a7-46c4-825f-dc67dda8a63d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3455830/wc-multivendor-membership#file436"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-membership/tags/2.11.8/controllers/wcfmvm-controller-memberships-payment.php#L32"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-03T12:31:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-09T11:17:32.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM Membership \u2013 WooCommerce Memberships for Multivendor Marketplace \u003c= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-15147",
        "datePublished": "2026-02-09T23:23:28.319Z",
        "dateReserved": "2025-12-27T13:25:09.137Z",
        "dateUpdated": "2026-04-08T17:21:40.486Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0845 (GCVE-0-2026-0845)

    Vulnerability from cvelistv5 – Published: 2026-02-09 23:23 – Updated: 2026-04-08 16:50
    VLAI
    Title
    WCFM - WooCommerce Frontend Manager <= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update
    Summary
    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Osvaldo Noe Gonzalez Del Rio
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0845",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T16:51:00.513226Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T16:51:38.298Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.24",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Osvaldo Noe Gonzalez Del Rio"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the \u0027WCFM_Settings_Controller::processing\u0027 function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:50:30.345Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4973cef3-dddf-4eb5-99f4-c23a0e162fd6?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/controllers/settings/wcfm-controller-settings.php#L150"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-ajax.php#L285"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3455819/wc-frontend-manager/trunk/controllers/settings/wcfm-controller-settings.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-03T12:31:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-09T11:20:25.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM - WooCommerce Frontend Manager \u003c= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-0845",
        "datePublished": "2026-02-09T23:23:27.754Z",
        "dateReserved": "2026-01-10T15:14:52.880Z",
        "dateUpdated": "2026-04-08T16:50:30.345Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-3780 (GCVE-0-2025-3780)

    Vulnerability from cvelistv5 – Published: 2025-07-08 23:22 – Updated: 2026-04-08 16:42
    VLAI
    Title
    WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification
    Summary
    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Brian Sans-Souci
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3780",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-09T13:15:27.802344Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-09T13:15:34.030Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.16",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Brian Sans-Souci"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:42:46.567Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26a82493-a6a5-4d8e-8322-942925a54cc3?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.16/core/class-wcfm-admin.php#L74"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.16/core/class-wcfm-admin.php#L81"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-16T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-07-08T11:13:57.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible \u003c= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-3780",
        "datePublished": "2025-07-08T23:22:48.619Z",
        "dateReserved": "2025-04-17T19:51:29.910Z",
        "dateUpdated": "2026-04-08T16:42:46.567Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1311 (GCVE-0-2025-1311)

    Vulnerability from cvelistv5 – Published: 2025-03-22 06:41 – Updated: 2026-04-08 17:00
    VLAI
    Title
    WooCommerce Multivendor Marketplace – REST API <= 1.6.2 - Authenticated (Subscriber+) SQL Injection
    Summary
    The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in the update_delivery_status() function in all versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Nguyen Tan Phat
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1311",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T13:18:39.298151Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T13:18:47.793Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Multivendor Marketplace REST API for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "1.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nguyen Tan Phat"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce Multivendor Marketplace \u2013 REST API plugin for WordPress is vulnerable to SQL Injection via the \u0027id\u0027 parameter in the update_delivery_status() function in all versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:00:14.581Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ff5cda2-edcd-4fa5-9c8e-427a43802ed1?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/wcfm-marketplace-rest-api/"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/trunk/includes/api/class-api-deliveries-controller.php#L303"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3267377/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-03-21T17:52:03.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce Multivendor Marketplace \u2013 REST API \u003c= 1.6.2 - Authenticated (Subscriber+) SQL Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-1311",
        "datePublished": "2025-03-22T06:41:12.043Z",
        "dateReserved": "2025-02-14T20:12:02.373Z",
        "dateUpdated": "2026-04-08T17:00:14.581Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8290 (GCVE-0-2024-8290)

    Vulnerability from cvelistv5 – Published: 2024-09-25 06:49 – Updated: 2026-04-08 17:02
    VLAI
    Title
    WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.12 - Insecure Direct Object Reference to Account Takeover/Privilege Escalation
    Summary
    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.12 via the WCFM_Customers_Manage_Controller::processing function due to missing validation on the ID user controlled key. This makes it possible for authenticated attackers, with subscriber/customer-level access and above, to change the email address of administrator user accounts which allows them to reset the password and access the administrator account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    wclovers WCFM – Frontend Manager for WooCommerce Affected: 0 , ≤ 6.7.12 (semver)
    Create a notification for this product.
    wclovers frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible Affected: 0 , ≤ 6.7.12 (semver)
        cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible",
                "vendor": "wclovers",
                "versions": [
                  {
                    "lessThanOrEqual": "6.7.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8290",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T13:18:37.127324Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T13:21:08.505Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Frontend Manager for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "6.7.12",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.12 via the WCFM_Customers_Manage_Controller::processing function due to missing validation on the ID user controlled key. This makes it possible for authenticated attackers, with subscriber/customer-level access and above, to change the email address of administrator user accounts which allows them to reset the password and access the administrator account."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:02:07.504Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79172fe3-c0cf-48c4-8bc5-862c628c1a09?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.12/controllers/customers/wcfm-controller-customers-manage.php#L97"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3156433/wc-frontend-manager/trunk/controllers/customers/wcfm-controller-customers-manage.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-24T17:50:38.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible \u003c= 6.7.12 - Insecure Direct Object Reference to Account Takeover/Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-8290",
        "datePublished": "2024-09-25T06:49:01.430Z",
        "dateReserved": "2024-08-28T20:42:11.811Z",
        "dateUpdated": "2026-04-08T17:02:07.504Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-44009 (GCVE-0-2024-44009)

    Vulnerability from cvelistv5 – Published: 2024-09-17 23:02 – Updated: 2026-04-28 16:10
    VLAI
    Title
    WordPress WCFM Marketplace <= 3.6.11 - Reflected Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Reflected XSS.This issue affects WCFM Marketplace: from n/a through <= 3.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    WC Lovers WCFM Marketplace Affected: 0 , ≤ 3.6.11 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:27
    Credits
    Le Ngoc Anh | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-44009",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-18T14:12:36.512226Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-18T14:40:08.035Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wc-multivendor-marketplace",
              "product": "WCFM Marketplace",
              "vendor": "WC Lovers",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.6.12",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.6.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Le Ngoc Anh | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:27:37.080Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Reflected XSS.\u003cp\u003eThis issue affects WCFM Marketplace: from n/a through \u003c= 3.6.11.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Reflected XSS.This issue affects WCFM Marketplace: from n/a through \u003c= 3.6.11."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-591",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Reflected XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:10:16.026Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wc-multivendor-marketplace/vulnerability/wordpress-wcfm-marketplace-3-6-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WCFM Marketplace \u003c= 3.6.11 - Reflected Cross Site Scripting (XSS) vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-44009",
        "datePublished": "2024-09-17T23:02:19.372Z",
        "dateReserved": "2024-08-18T21:57:50.572Z",
        "dateUpdated": "2026-04-28T16:10:16.026Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-4960 (GCVE-0-2023-4960)

    Vulnerability from cvelistv5 – Published: 2024-01-11 08:33 – Updated: 2026-04-08 17:34
    VLAI
    Title
    WCFM Marketplace <= 3.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
    Summary
    The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcfm_stores' shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:44:53.206Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f99e9f01-cc98-4af5-bb95-f56f6a550e96?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.6.1/views/store-lists/wcfmmp-view-store-lists.php#L207"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.6.1/core/class-wcfmmp-shortcode.php#L241"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3000763/wc-multivendor-marketplace#file999"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4960",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-08T15:55:38.464664Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-03T14:08:18.557Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM Marketplace \u2013 Multivendor Marketplace for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "3.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027wcfm_stores\u0027 shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:34:14.145Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f99e9f01-cc98-4af5-bb95-f56f6a550e96?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.6.1/views/store-lists/wcfmmp-view-store-lists.php#L207"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wc-multivendor-marketplace/tags/3.6.1/core/class-wcfmmp-shortcode.php#L241"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3000763/wc-multivendor-marketplace#file999"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-09-13T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2023-09-13T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2023-11-23T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WCFM Marketplace \u003c= 3.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-4960",
        "datePublished": "2024-01-11T08:33:09.984Z",
        "dateReserved": "2023-09-14T14:25:20.291Z",
        "dateUpdated": "2026-04-08T17:34:14.145Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-2275 (GCVE-0-2023-2275)

    Vulnerability from cvelistv5 – Published: 2023-06-09 05:33 – Updated: 2026-04-08 17:15
    VLAI
    Title
    WooCommerce Multivendor Marketplace – REST API <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API
    Summary
    The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'get_item', 'get_order_notes' and 'add_order_note' functions in versions up to, and including, 1.5.3. This makes it possible for authenticated attackers with subscriber privileges or above, to view the order details and order notes, and add order notes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:19:14.586Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0520601-7e5c-412d-a8da-df1bf8ce28df?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L151"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L167"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L175"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2904331/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2275",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-20T23:23:58.499390Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-20T23:36:48.837Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WCFM \u2013 Multivendor Marketplace REST API for WooCommerce",
              "vendor": "wclovers",
              "versions": [
                {
                  "lessThanOrEqual": "1.5.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WooCommerce Multivendor Marketplace \u2013 REST API plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the \u0027get_item\u0027, \u0027get_order_notes\u0027 and \u0027add_order_note\u0027 functions in versions up to, and including, 1.5.3. This makes it possible for authenticated attackers with subscriber privileges or above, to view the order details and order notes, and add order notes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:15:51.530Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0520601-7e5c-412d-a8da-df1bf8ce28df?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L151"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L167"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wcfm-marketplace-rest-api/tags/1.5.3/includes/api/class-api-order-controller.php#L175"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/2904331/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-04-25T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2023-04-25T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2023-04-26T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WooCommerce Multivendor Marketplace \u2013 REST API \u003c= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-2275",
        "datePublished": "2023-06-09T05:33:28.997Z",
        "dateReserved": "2023-04-25T11:42:13.932Z",
        "dateUpdated": "2026-04-08T17:15:51.530Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }